Philipp Benz,Chaoning Zhang,Tooba Imtiaz,In So Kweon

DOI: https://doi.org/10.48550/arXiv.2010.03288

2020-10-07

Abstract:Despite their impressive performance, deep neural networks (DNNs) are widely known to be vulnerable to adversarial attacks, which makes it challenging for them to be deployed in security-sensitive applications, such as autonomous driving. Image-dependent perturbations can fool a network for one specific image, while universal adversarial perturbations are capable of fooling a network for samples from all classes without selection. We introduce a double targeted universal adversarial perturbations (DT-UAPs) to bridge the gap between the instance-discriminative image-dependent perturbations and the generic universal perturbations. This universal perturbation attacks one targeted source class to sink class, while having a limited adversarial effect on other non-targeted source classes, for avoiding raising suspicions. Targeting the source and sink class simultaneously, we term it double targeted attack (DTA). This provides an attacker with the freedom to perform precise attacks on a DNN model while raising little suspicion. We show the effectiveness of the proposed DTA algorithm on a wide range of datasets and also demonstrate its potential as a physical attack.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Hokuto Hirano,Kazuhiro Takemoto

DOI: https://doi.org/10.3390/a13110268

2019-11-18

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial attacks. In particular, a single perturbation known as the universal adversarial perturbation (UAP) can foil most classification tasks conducted by DNNs. Thus, different methods for generating UAPs are required to fully evaluate the vulnerability of DNNs. A realistic evaluation would be with cases that consider targeted attacks; wherein the generated UAP causes DNN to classify an input into a specific class. However, the development of UAPs for targeted attacks has largely fallen behind that of UAPs for non-targeted attacks. Therefore, we propose a simple iterative method to generate UAPs for targeted attacks. Our method combines the simple iterative method for generating non-targeted UAPs and the fast gradient sign method for generating a targeted adversarial perturbation for an input. We applied the proposed method to state-of-the-art DNN models for image classification and proved the existence of almost imperceptible UAPs for targeted attacks; further, we demonstrated that such UAPs are easily generatable.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Donghua Wang,Wen Yao,Tingsong Jiang,Xiaoqian Chen

DOI: https://doi.org/10.1109/tip.2023.3345136

IF: 10.6

2023-01-01

IEEE Transactions on Image Processing

Abstract:Deep neural networks (DNNs) are shown to be vulnerable to universal adversarial perturbations (UAP), a single quasi-imperceptible perturbation that deceives the DNNs on most input images. The current UAP methods can be divided into data-dependent and data-independent methods. The former exhibits weak transferability in black-box models due to overly relying on model-specific features. The latter shows inferior attack performance in white-box models as it fails to exploit the model's response information to benign images. To address the above issues, this paper proposes a novel universal adversarial attack to generate UAP with strong transferability by disrupting the model-agnostic features (e.g., edges or simple texture), which are invariant to the models. Specifically, we first devise an objective function to weaken the significant channel-wise features and strengthen the less significant channel-wise features, which are partitioned by the designed strategy. Furthermore, the proposed objective function eliminates the dependency on labeled samples, allowing us to utilize out-of-distribution (OOD) data to train UAP. To enhance the attack performance with limited training samples, we exploit the average gradient of the mini-batch input to update the UAP iteratively, which encourages the UAP to capture the local information inside the mini-batch input. In addition, we introduce the momentum term to accumulate the gradient information at each iterative step for the purpose of perceiving the global information over the training set. Finally, extensive experimental results demonstrate that the proposed methods outperform the existing UAP approaches. Additionally, we exhaustively investigate the transferability of the UAP across models, datasets, and tasks.

Juanjuan Weng,Zhiming Luo,Dazhen Lin,Shaozi Li

2023-06-20

Abstract:The vulnerability of Convolutional Neural Networks (CNNs) to adversarial samples has recently garnered significant attention in the machine learning community. Furthermore, recent studies have unveiled the existence of universal adversarial perturbations (UAPs) that are image-agnostic and highly transferable across different CNN models. In this survey, our primary focus revolves around the recent advancements in UAPs specifically within the image classification task. We categorize UAPs into two distinct categories, i.e., noise-based attacks and generator-based attacks, thereby providing a comprehensive overview of representative methods within each category. By presenting the computational details of these methods, we summarize various loss functions employed for learning UAPs. Furthermore, we conduct a comprehensive evaluation of different loss functions within consistent training frameworks, including noise-based and generator-based. The evaluation covers a wide range of attack settings, including black-box and white-box attacks, targeted and untargeted attacks, as well as the examination of defense mechanisms. Our quantitative evaluation results yield several important findings pertaining to the effectiveness of different loss functions, the selection of surrogate CNN models, the impact of training data and data size, and the training frameworks involved in crafting universal attackers. Finally, to further promote future research on universal adversarial attacks, we provide some visualizations of the perturbations and discuss the potential research directions.

Computer Vision and Pattern Recognition

Changming Xu,Gagandeep Singh

2023-06-06

Abstract:Universal Adversarial Perturbations (UAPs) are imperceptible, image-agnostic vectors that cause deep neural networks (DNNs) to misclassify inputs with high probability. In practical attack scenarios, adversarial perturbations may undergo transformations such as changes in pixel intensity, scaling, etc. before being added to DNN inputs. Existing methods do not create UAPs robust to these real-world transformations, thereby limiting their applicability in practical attack scenarios. In this work, we introduce and formulate UAPs robust against real-world transformations. We build an iterative algorithm using probabilistic robustness bounds and construct such UAPs robust to transformations generated by composing arbitrary sub-differentiable transformation functions. We perform an extensive evaluation on the popular CIFAR-10 and ILSVRC 2012 datasets measuring our UAPs' robustness under a wide range common, real-world transformations such as rotation, contrast changes, etc. We further show that by using a set of primitive transformations our method can generalize well to unseen transformations such as fog, JPEG compression, etc. Our results show that our method can generate UAPs up to 23% more robust than state-of-the-art baselines.

Machine Learning,Cryptography and Security

Zifei Wang,Xiaolin Huang,Jie Yang,Nikola K. Kasabov

DOI: https://doi.org/10.1109/is48319.2020.9199956

2020-01-01

Abstract:The vulnerability of Deep Neural Networks (DNNs) to adversarial attacks has become an important research area of machine learning. It has been known that many state-of-the-art DNNs suffer the risk of universal adversarial perturbations, which are image-agnostic and able to lead misclassifications with high probability. In this paper, we propose a novel method to create such universal adversarial perturbations. Our approach is the first to generate universal perturbations by attacking the attention heat maps with the interpretation method, Layer-wise Relevance Propagation. It is demonstrated that our method achieves high fooling ratios on image classification DNNs pre-trained by ImageNet dataset. Moreover, our attack shows good transferability across different DNNs.

Kenneth T. Co,Luis Muñoz-González,Sixte de Maupeou,Emil C. Lupu

DOI: https://doi.org/10.1145/3319535.3345660

2019-11-23

Abstract:Deep Convolutional Networks (DCNs) have been shown to be vulnerable to adversarial examples---perturbed inputs specifically designed to produce intentional errors in the learning algorithms at test time. Existing input-agnostic adversarial perturbations exhibit interesting visual patterns that are currently unexplained. In this paper, we introduce a structured approach for generating Universal Adversarial Perturbations (UAPs) with procedural noise functions. Our approach unveils the systemic vulnerability of popular DCN models like Inception v3 and YOLO v3, with single noise patterns able to fool a model on up to 90% of the dataset. Procedural noise allows us to generate a distribution of UAPs with high universal evasion rates using only a few parameters. Additionally, we propose Bayesian optimization to efficiently learn procedural noise parameters to construct inexpensive untargeted black-box attacks. We demonstrate that it can achieve an average of less than 10 queries per successful attack, a 100-fold improvement on existing methods. We further motivate the use of input-agnostic defences to increase the stability of models to adversarial perturbations. The universality of our attacks suggests that DCN models may be sensitive to aggregations of low-level class-agnostic features. These findings give insight on the nature of some universal adversarial perturbations and how they could be generated in other applications.

Cryptography and Security,Machine Learning

Hong Liu,Rongrong Ji,Jie Li,Baochang Zhang,Yue Gao,Yongjian Wu,Feiyue Huang

DOI: https://doi.org/10.1109/iccv.2019.00303

2019-01-01

Abstract:Deep learning models have shown their vulnerabilities to universal adversarial perturbations (UAP), which are quasi-imperceptible. Compared to the conventional supervised UAPs that suffer from the knowledge of training data, the data-independent unsupervised UAPs are more applicable. Existing unsupervised methods fail to take advantage of the model uncertainty to produce robust perturbations. In this paper, we propose a new unsupervised universal adversarial perturbation method, termed as Prior Driven Uncertainty Approximation (PD-UA), to generate a robust UAP by fully exploiting the model uncertainty at each network layer. Specifically, a Monte Carlo sampling method is deployed to activate more neurons to increase the model uncertainty for a better adversarial perturbation. Thereafter, a textural bias prior to revealing a statistical uncertainty is proposed, which helps to improve the attacking performance. The UAP is crafted by the stochastic gradient descent algorithm with a boosted momentum optimizer, and a Laplacian pyramid frequency model is finally used to maintain the statistical uncertainty. Extensive experiments demonstrate that our method achieves well attacking performances on the ImageNet validation set, and significantly improves the fooling rate compared with the state-of-the-art methods.

Liang-bo Ning,Zeyu Dai,Wenqi Fan,Jingran Su,Chao Pan,Luning Wang,Qing Li

2024-08-03

Abstract:Deep neural networks (DNNs) have significantly boosted the performance of many challenging tasks. Despite the great development, DNNs have also exposed their vulnerability. Recent studies have shown that adversaries can manipulate the predictions of DNNs by adding a universal adversarial perturbation (UAP) to benign samples. On the other hand, increasing efforts have been made to help users understand and explain the inner working of DNNs by highlighting the most informative parts (i.e., attribution maps) of samples with respect to their predictions. Moreover, we first empirically find that such attribution maps between benign and adversarial examples have a significant discrepancy, which has the potential to detect universal adversarial perturbations for defending against adversarial attacks. This finding motivates us to further investigate a new research problem: whether there exist universal adversarial perturbations that are able to jointly attack DNNs classifier and its interpretation with malicious desires. It is challenging to give an explicit answer since these two objectives are seemingly conflicting. In this paper, we propose a novel attacking framework to generate joint universal adversarial perturbations (JUAP), which can fool the DNNs model and misguide the inspection from interpreters simultaneously. Comprehensive experiments on various datasets demonstrate the effectiveness of the proposed method JUAP for joint attacks. To the best of our knowledge, this is the first effort to study UAP for jointly attacking both DNNs and interpretations.

Cryptography and Security,Artificial Intelligence

Maosen Li,Yanhua Yang,Kun Wei,Xu Yang,Heng Huang

DOI: https://doi.org/10.1609/aaai.v36i2.20023

2022-06-28

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep learning models have shown to be susceptible to universal adversarial perturbation (UAP), which has aroused wide concerns in the community. Compared with the conventional adversarial attacks that generate adversarial samples at the instance level, UAP can fool the target model for different instances with only a single perturbation, enabling us to evaluate the robustness of the model from a more effective and accurate perspective. The existing universal attack methods fail to exploit the differences and connections between the instance and universal levels to produce dominant perturbations. To address this challenge, we propose a new universal attack method that unifies instance-specific and universal attacks from a feature perspective to generate a more dominant UAP. Specifically, we reformulate the UAP generation task as a minimax optimization problem and then utilize the instance-specific attack method to solve the minimization problem thereby obtaining better training data for generating UAP. At the same time, we also introduce a consistency regularizer to explore the relationship between training data, thus further improving the dominance of the generated UAP. Furthermore, our method is generic with no additional assumptions about the training data and hence can be applied to both data-dependent (supervised) and data-independent (unsupervised) manners. Extensive experiments demonstrate that the proposed method improves the performance by a significant margin over the existing methods in both data-dependent and data-independent settings. Code is available at https://github.com/lisenxd/AT-UAP.

Jun Yan,Huilin Yin,Wancheng Ge,Li Liu

DOI: https://doi.org/10.1016/j.displa.2023.102479

IF: 3.074

2023-07-08

Displays

Abstract:The research on universal adversarial perturbations (UAPs) is significant to trustworthy deep learning. To disentangle the UAPs with the training data dependency and the target model dependency, the exploration of procedural noise functions is a feasible method. However, the current procedural adversarial noise attack method has several characteristics like visually significant anisotropy and gradient artifacts that may impact the stealthiness of adversarial examples. This study proposes a novel model-free and data-free UAP method based on the procedural noise functions with two variants: Simplex noise attack and Worley noise attack. The attack method can achieve deceit on the neural networks with a more aesthetic rendering effect. A detailed empirical study is provided to validate the effectiveness of the proposed attack method. The extensive experiments show that the UAPs generated by the proposed method achieve considerable attack performance on the ImageNet dataset and the CIFAR-10 dataset. Moreover, this study implements the performance evaluation and robustness analysis of existing defense methods against the proposed UAPs. It has the potential to enhance research on the robustness of neural networks in real applications. The code is available at https://github.com/momo1986/adversarial_example_simplex_worley .

engineering, electrical & electronic,instruments & instrumentation,optics,computer science, hardware & architecture

Haoran Gao,Hua Zhang,Xin Zhang,Wenmin Li,Jiahui Wang,Fei Gao

DOI: https://doi.org/10.1016/j.neunet.2023.06.006

IF: 7.8

2023-06-10

Neural Networks

Abstract:The main aim of class discriminative universal adversarial perturbations (CD-UAPs) is that the adversary can flexibly control the targeted class and influence remaining classes limitedly. CD-UAPs generated by the existing attack strategies suffer from a high fooling ratio of non-targeted source classes under non-targeted and targeted attacks, and face the increasing risk of discovery. In this paper, we propose a training framework for generating enhanced covertness CD-UAPs. It trains the targeted source class set and the non-targeted source classes set alternately to update the perturbation and introduces logit pairing to mitigate the influence of perturbation on the non-targeted source classes set. Further, we extend CD-UAPs on the targeted (one-targeted) attack to the multi-targeted attack, which perturbs a targeted source class to multiple targeted sink classes that seriously threaten the current scenario. It can not only provides the adversary with freedom of precise attack but reduces the risk of being detected. This attack poses a strong threat to security-sensitive applications. Extensive experiments on the CIFAR-10, CIFAR-100 and ImageNet datasets show our method can generate more deceptive perturbations and enhance the covertness of CD-UAPs. For example, our method improves the absolute fooling ratio gaps of ResNet-20 and VGG-16 by 9.46% and 6.94% compared with the baseline method, respectively. We achieve the multi-targeted attack with a high fooling ratio on the GTSRB dataset. The average absolute target fooling ratio gaps of ResNet-20 and VGG-16 are 81.89% and 76.33%, respectively.

computer science, artificial intelligence,neurosciences

Jing Wu,Mingyi Zhou,Shuaicheng Liu,Yipeng Liu,Ce Zhu

2020-01-01

Abstract: A single perturbation can pose the most natural images to be misclassified by classifiers. In black-box setting, current universal adversarial attack methods utilize substitute models to generate the perturbation, then apply the perturbation to the attacked model. However, this transfer often produces inferior results. In this study, we directly work in the black-box setting to generate the universal adversarial perturbation. Besides, we aim to design an adversary generating a single perturbation having texture like stripes based on orthogonal matrix, as the top convolutional layers are sensitive to stripes. To this end, we propose an efficient Decision-based Universal Attack (DUAttack). With few data, the proposed adversary computes the perturbation based solely on the final inferred labels, but good transferability has been realized not only across models but also span different vision tasks. The effectiveness of DUAttack is validated through comparisons with other state-of-the-art attacks. The efficiency of DUAttack is also demonstrated on real world settings including the Microsoft Azure. In addition, several representative defense methods are struggling with DUAttack, indicating the practicability of the proposed method.

Kenneth T. Co,Luis Muñoz-González,Leslie Kanthan,Emil C. Lupu

DOI: https://doi.org/10.48550/arXiv.2105.07334

2021-05-23

Abstract:Universal Adversarial Perturbations (UAPs) are a prominent class of adversarial examples that exploit the systemic vulnerabilities and enable physically realizable and robust attacks against Deep Neural Networks (DNNs). UAPs generalize across many different inputs; this leads to realistic and effective attacks that can be applied at scale. In this paper we propose HyperNeuron, an efficient and scalable algorithm that allows for the real-time detection of UAPs by identifying suspicious neuron hyper-activations. Our results show the effectiveness of HyperNeuron on multiple tasks (image classification, object detection), against a wide variety of universal attacks, and in realistic scenarios, like perceptual ad-blocking and adversarial patches. HyperNeuron is able to simultaneously detect both adversarial mask and patch UAPs with comparable or better performance than existing UAP defenses whilst introducing a significantly reduced latency of only 0.86 milliseconds per image. This suggests that many realistic and practical universal attacks can be reliably mitigated in real-time, which shows promise for the robust deployment of machine learning systems.

Machine Learning,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Jiazhu Dai,Le Shu

DOI: https://doi.org/10.48550/arXiv.1911.01172

2020-01-06

Abstract:Convolutional neural networks (CNN) have become one of the most popular machine learning tools and are being applied in various tasks, however, CNN models are vulnerable to universal perturbations, which are usually human-imperceptible but can cause natural images to be misclassified with high probability. One of the state-of-the-art algorithms to generate universal perturbations is known as UAP. UAP only aggregates the minimal perturbations in every iteration, which will lead to generated universal perturbation whose magnitude cannot rise up efficiently and cause a slow generation. In this paper, we proposed an optimized algorithm to improve the performance of crafting universal perturbations based on orientation of perturbation vectors. At each iteration, instead of choosing minimal perturbation vector with respect to each image, we aggregate the current instance of universal perturbation with the perturbation which has similar orientation to the former so that the magnitude of the aggregation will rise up as large as possible at every iteration. The experiment results show that we get universal perturbations in a shorter time and with a smaller number of training images. Furthermore, we observe in experiments that universal perturbations generated by our proposed algorithm have an average increment of fooling rate by 9% in white-box attacks and black-box attacks comparing with universal perturbations generated by UAP.

Machine Learning

Xuanshen Wan,Wei Liu,Chaoyang Niu,Wanjie Lu,Meng Du,Yuanli Li

DOI: https://doi.org/10.1109/jstars.2024.3384188

IF: 4.715

2024-04-30

IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing

Abstract:Synthetic aperture radar automatic target recognition (SAR-ATR) models based on deep neural networks (DNNs) are vulnerable to attacks of adversarial examples. Universal adversarial attack algorithms can help evaluate and improve the robustness of the SAR-ATR models and have become a research hotspot. However, current universal adversarial attack algorithms have limitations. First, considering the difficulty in obtaining information on the attacking SAR-ATR models, there is an urgent need to design a universal adversarial attack algorithm under a black-box scenario. Second, given the difficulty of acquiring synthetic aperture radar images, the effectiveness of attacks under small-sample conditions requires improvement. To address these limitations, this study proposed a black-box universal adversarial attack algorithm: transferable universal adversarial network (TUAN). Based on the idea of the generative adversarial network, we implemented the game of generator and attenuator to improve the transferability of universal adversarial perturbation (UAP). We designed loss functions for the generator and the attenuator, respectively, which can effectively improve the success rate of black-box attacks and the stealthiness of attacks. In addition, U-Net was used as a network structure of the generator and the attenuator to fully learn the distribution of examples, thereby enhancing the attack success rate under small-sample conditions. The TUAN attained a higher black-box attack success rate and superior stealthiness than up-to-date UAP algorithms in non-targeted and targeted attacks.

engineering, electrical & electronic,imaging science & photographic technology,remote sensing,geography, physical

Chao Wang,Xianglin Wei,Jianhua Fan,Yongyang Hu,Long Yu

DOI: https://doi.org/10.1109/jiot.2023.3254648

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In spite of unique advantages like higher recognition accuracy and better generalization capability, Automatic Modulation Classification (AMC) oriented Deep Neural Networks (ADNNs) are still vulnerable to adversarial examples (AEs). Recent results revealed that an attacker can easily fool ADNNs through adding a small and imperceptible perturbation to the original signal. Among different AE generation methods, Universal Adversarial Perturbation (UAP) has unique characteristics including input-agnostic and shift-invariance. However, applying UAP directly to RF signals faces three main challenges, i.e., perturbation neutralization, high perceptibility, and dependency of original signals. In this backdrop, a novel Universal Adversarial Perturbation under Frequency and Data constraints (UAP-FD) attack is put forward for solving these problems in this paper. First, an individual perturbation is filtered based on the representation visualization algorithm to counter the neutralization problem in perturbation integration. Second, the high-frequency components in the integrated UAP is eliminated through signal decomposition and reconstruction for promoting the imperceptibility. Third, a proxy signal generation method is proposed to help UAP-FD adapt to data-free black-box settings. A series of experiments is conducted to evaluate the aggressiveness and imperceptibility of UAP-FD attack in different settings on a public dataset. Results show that, compared with existing proposal, UAP-FD has a 40% higher fooling rate, and it can reduce the accuracy of the ADNN model from 83% to 9%, while maintaining a good imperceptibility and shift-invariance property. In addition, UAP-FD is applied to real world captured signals over the transmission channel; and it can reduce the model accuracy from 98.3% to 12.5%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jie Li,Rongrong Ji,Hong Liu,Xiaopeng Hong,Yue Gao,Qi Tian

DOI: https://doi.org/10.48550/arXiv.1812.00552

2019-09-11

Abstract:Universal adversarial perturbations (UAPs), a.k.a. input-agnostic perturbations, has been proved to exist and be able to fool cutting-edge deep learning models on most of the data samples. Existing UAP methods mainly focus on attacking image classification models. Nevertheless, little attention has been paid to attacking image retrieval systems. In this paper, we make the first attempt in attacking image retrieval systems. Concretely, image retrieval attack is to make the retrieval system return irrelevant images to the query at the top ranking list. It plays an important role to corrupt the neighbourhood relationships among features in image retrieval attack. To this end, we propose a novel method to generate retrieval-against UAP to break the neighbourhood relationships of image features via degrading the corresponding ranking metric. To expand the attack method to scenarios with varying input sizes or untouchable network parameters, a multi-scale random resizing scheme and a ranking distillation strategy are proposed. We evaluate the proposed method on four widely-used image retrieval datasets, and report a significant performance drop in terms of different metrics, such as mAP and mP@10. Finally, we test our attack methods on the real-world visual search engine, i.e., Google Images, which demonstrates the practical potentials of our methods.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Yuhang Zhao,Kunqing Wang,Yuan Xue,Quanxin Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1007/978-3-030-34139-8_7

2019-01-01

Abstract:With the continuous development of deep neural networks (DNNs), it has become the main means of solving problems in the field of computer vision. However, recent research has shown that deep neural networks are vulnerable to well-designed adversarial examples. In this paper, we used a deep neural network to generate adversarial examples to attack black-box object detectors. We trained a generation network to produce universal perturbations, achieving a cross-task attack against black-box object detectors. We demonstrated the feasibility of task-generalizable attacks. Our attack generated efficient universal perturbations on classifiers then attack object detectors. We proved the effectiveness of our attack on two representative object detectors: Faster R-CNN based on proposal and regression-based YOLOv3.